NIST Cybersecurity Framework (CSF) 2.0: What has changed?
1. NIST CSF 2.0: What has changed?
by Andrey Prozorov, CISM, CIPP/E, CDPSE, LA 27001
www.patreon.com/AndreyProzorov
2.0, 02.03.2024
2. Agenda
1. Journey To CSF 2.0
2. New Title
3. New Scope
4. What is the Framework?
5. Desired outcomes
6. Components of the Framework
7. Purpose
8. The new function (Govern) and changes in Categories and Subcategories
9. Framework Profiles
10. CSF Tiers: New criteria
11. Steps for Creating and Using Profiles
12. Other publications
13. NIST CSF 2.0 Mindmap
14. Significant Updates
15. NIST CSF 2.0 vs ISO 27001:2022
16. NIST CSF 2.0 and ISO 27001:2022 (mapping)
17. EU NIS 2 Directive and NIST CSF 2.0 (mapping)
4. Why is NIST deciding to update the Framework now toward CSF 2.0?

The NIST Cybersecurity Framework was intended to be a living document that is refined, improved, and evolves over time. These updates help the Framework keep pace with technology and threat trends, integrate lessons learned, and move best practice to common practice.

NIST initially produced the Framework in 2014 and updated it in April 2018 with CSF 1.1. Based on stakeholder feedback, in order to reflect the ever-evolving cybersecurity landscape and to help organizations more easily and effectively manage cybersecurity risk, NIST is working on a new, more significant update to the Framework: CSF 2.0.

www.nist.gov/cyberframework/updating-nist-cybersecurity-framework-journey-csf-20
7. New Title

CSF 1.1: Framework for Improving Critical Infrastructure Cybersecurity
CSF 2.0: The NIST Cybersecurity Framework 2.0
8. New Scope (wider)

NIST CSF 2.0 is designed to be used by organizations of all sizes and sectors, including industry, government, academia, and nonprofit organizations, regardless of the maturity level of their cybersecurity programs.

The CSF is a foundational resource that may be adopted voluntarily and through governmental policies and mandates.

The CSF's taxonomy and referenced standards, guidelines, and practices are not country-specific, and previous versions of the CSF have been leveraged successfully by many governments and other organizations both inside and outside of the United States.
9. What is the Framework?

The Cybersecurity Framework (CSF) 2.0 is designed to help organizations of all sizes and sectors, including industry, government, academia, and nonprofit, to manage and reduce their cybersecurity risks. It is useful regardless of the maturity level and technical sophistication of an organization's cybersecurity programs.

Nevertheless, the CSF does not embrace a one-size-fits-all approach. Each organization has both common and unique risks, as well as varying risk appetites and tolerances, specific missions, and objectives to achieve those missions. By necessity, the way organizations implement the CSF will vary.

Current revision: 2.0, February 26, 2024
10. Desired outcomes

Ideally, the CSF will be used to address cybersecurity risks alongside other risks of the enterprise, including those that are financial, privacy, supply chain, reputational, technological, or physical in nature.

The CSF describes desired outcomes that are intended to be understood by a broad audience, including executives, managers, and practitioners, regardless of their cybersecurity expertise. Because these outcomes are sector-, country-, and technology-neutral, they provide an organization with the flexibility needed to address their unique risks, technologies, and mission considerations. Outcomes are mapped directly to a list of potential security controls for immediate consideration to mitigate cybersecurity risks.
11. Components of the Framework (CSF 2.0)

NIST CSF 2.0 includes the following components:

• CSF Core, the nucleus of the CSF, which is a taxonomy of high-level cybersecurity outcomes that can help any organization manage its cybersecurity risks. The CSF Core components are a hierarchy of Functions, Categories, and Subcategories that detail each outcome.
• CSF Organizational Profiles, which are a mechanism for describing an organization's current and/or target cybersecurity posture in terms of the CSF Core's outcomes.
• CSF Tiers, which can be applied to CSF Organizational Profiles to characterize the rigor of an organization's cybersecurity risk governance and management practices. Tiers can also provide context for how an organization views cybersecurity risks and the processes in place to manage those risks.
12. Purpose (CSF 2.0)

An organization can use the CSF Core, Profiles, and Tiers with the supplementary resources to understand, assess, prioritize, and communicate cybersecurity risks.

Understand and Assess: Describe the current or target cybersecurity posture of part or all of an organization, determine gaps, and assess progress toward addressing those gaps.

Prioritize: Identify, organize, and prioritize actions for managing cybersecurity risks that align with the organization's mission, legal and regulatory requirements, and risk management and governance expectations.

Communicate: Provide a common language for communicating inside and outside the organization about cybersecurity risks, capabilities, needs, and expectations.
14. Functions: CSF 1.1 vs CSF 2.0

Govern (GV)
  CSF 1.1: -
  CSF 2.0: The organization's cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.

Identify (ID)
  CSF 1.1: Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
  CSF 2.0: The organization's current cybersecurity risks are understood.

Protect (PR)
  CSF 1.1: Develop and implement appropriate safeguards to ensure delivery of critical services.
  CSF 2.0: Safeguards to manage the organization's cybersecurity risks are used.

Detect (DE)
  CSF 1.1: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
  CSF 2.0: Possible cybersecurity attacks and compromises are found and analyzed.

Respond (RS)
  CSF 1.1: Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
  CSF 2.0: Actions regarding a detected cybersecurity incident are taken.

Recover (RC)
  CSF 1.1: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.
  CSF 2.0: Assets and operations affected by a cybersecurity incident are restored.
17. CSF 2.0 Pyramid

CSF Core: A taxonomy of high-level cybersecurity outcomes that can help any organization manage its cybersecurity risks. Its components are a hierarchy of Functions, Categories, and Subcategories that detail each outcome.

• CSF Function: The highest level of organization for cybersecurity outcomes. There are six CSF Functions: Govern, Identify, Protect, Detect, Respond, and Recover.
• CSF Category: A group of related cybersecurity outcomes that collectively comprise a CSF Function.
• CSF Subcategory: A group of more specific outcomes of technical and management cybersecurity activities that comprise a CSF Category.
• CSF Implementation Example: A concise, action-oriented, notional illustration of a way to help achieve a CSF Core outcome.

Functions: 6
Categories: 22
Subcategories: 106
Implementation Examples: 363
18. Framework Profiles

A CSF Organizational Profile describes an organization's current and/or target cybersecurity posture in terms of the Core's outcomes. Every Organizational Profile includes one or both of the following:

• A Current Profile specifies the Core outcomes that an organization is currently achieving (or attempting to achieve) and characterizes how or to what extent each outcome is being achieved.
• A Target Profile specifies the desired outcomes that an organization has selected and prioritized for achieving its cybersecurity risk management objectives. A Target Profile considers anticipated changes to the organization's cybersecurity posture, such as new requirements, new technology adoption, and threat intelligence trends.
19. Steps for Creating and Using Profiles

Replaced 3.2 Establishing or Improving a Cybersecurity Program (CSF 1.1):
Step 1: Prioritize and Scope
Step 2: Orient
Step 3: Create a Current Profile
Step 4: Conduct a Risk Assessment
Step 5: Create a Target Profile
Step 6: Determine, Analyze, and Prioritize Gaps
Step 7: Implement Action Plan
20. CSF Tiers: New criteria

CSF Tier: A characterization of the rigor of an organization's cybersecurity risk governance and management practices. An organization can choose to use the Tiers to inform its Current and Target Profiles. New criteria for Tiers were presented in NIST CSF 2.0.

CSF 1.1 criteria:
• Risk Management Process
• Integrated Risk Management Program
• External Participation

CSF 2.0 criteria:
• Cybersecurity Risk Governance
• Cybersecurity Risk Management
• Third-Party Cybersecurity Risks
26. Significant Updates

1. Recognition of the broad use of the Framework (New Title and wider Scope)
2. New Function, Govern, and changes in the Categories and Subcategories
3. Increased guidance on CSF implementation (Profiles and Examples)
4. Emphasized cybersecurity supply chain risk management (C-SCRM) (see also NIST SP 800-161r1)
5. Clarified understanding of cybersecurity measurement and assessment (see also NIST SP 800-55)
6. Alignment (and integration) with other Frameworks and standards (see also the Cybersecurity and Privacy Reference Tool (CPRT): https://csrc.nist.gov/Projects/cprt)
27. NIST CSF 2.0 vs ISO 27001:2022

www.patreon.com/posts/99367389
29. EU NIS 2 Directive and NIST CSF 2.0 (mapping)

www.patreon.com/posts/nis-2-directive-99440176
30. Thanks, and good luck!

www.linkedin.com/in/andreyprozorov
www.patreon.com/AndreyProzorov
31. If you have viewed my previous presentation, these markers will help you identify the differences between the draft and final versions of NIST CSF 2.0.

Markers: New slide / Changes / No changes